Skip to main content

Subnet delegation and API Management

When updating some network related ARM templates I stumbled on the concept of subnet delegation.

What is subnet delegation?

Subnet delegation enables you to designate a specific subnet for an Azure PaaS service of your choice that needs to be injected into your virtual network. When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner. One of the advantages is that the service can configure for example routing policies or network security groups. 

Subnet delegation and API Management

When I was updating our virtual network/subnet templates I stumbled on the delegation section.

"delegations": [
  {
    "id": "string",
    "properties": {
      "serviceName": "string"
    },
    "name": "string"
  }
]

After doing some research about the concept I opened the subnet configuration in the Azure portal I noticed that I can select API Management from the pulldown. In the online documentation I cannot find any information about the benefits for selecting this option. 

If you integrate an API Management service in an internal network and you route the internet traffic through an Azure Firewall you will have to make quit what adjustments in the terms of route tables and NSGs. These are documented in the common network configuration issues section of the page which describes How to use Azure API Management with virtual networks. So using subnet delegation whould be nice if it solves this common issues.

Microsoft support

Because I could not find any information in the Microsoft documentation and I had not the time to do R&D with this setting I opened a support call. The conclusion of the communication with the support engineer is as follows:

  • The subnet delegation setting is doing anything currently (November 2020).
  • The idea is that when Microsoft have the implementation backing it you would delegate the subnet to the service and Microsoft will enforce the policies as defined in the Common Network Configuration Issues so the API Management service will stay operating.


Labels:

Comments

Post a Comment

Popular posts from this blog

Assign an existing certificate to your IIS website with WiX

Recently I had to change the bindings of existing IIS hosted websites and APIs from HTTP to HTTPS. They are installed with a MSI file created with the WiX Toolset . Because I have to use an already on the server installed certificate I cannot use the Certificate element from the IIS Extension because this element only supports installing and uninstalling certificates based on PFX files. After doing some research I found the blog article Assign Certificate (Set HTTPS Binding certificate) to IIS website from Wix Installer which described the usage of Custom Actions for this purpose. I adopted this approach and rewrote the code for my scenario. With WiX I still create the website. <iis:WebSite Id="WebSite" ConfigureIfExists="yes" AutoStart="yes" Description="MyWebsite" Directory="IISROOT" StartOnInstall="yes"> <iis:WebAddress Id="WebSite...
Post a Comment
Read more

Permantly delete an AD object

At the moment I am busy with PowerShell DSC scripts that also create objects within the Active Directory. Because it's work in progress you have to delete those objects regularly. Witin this sandbox environment the recycle bin feature is enabled so the objects are kept 30 days.  To permantly delete such objects (so you have a clean testing situation) you can use the following PowerShell command. Get-ADObject -filter {sAMAccountName -eq "<name of object>$"} -includeDeletedObjects -property * | Remove-ADObject
Post a Comment
Read more

Make steps conditional in multi-stage YAML pipelines

To make the switch from the graphical release pipelines in Azure DevOps I am missing two features. The first one is to be able to defer a deploy and the second one is to exclude certain deployment steps without the need for editing the YAML file.  The defer option is something Microsoft has to solve in their Azure DevOps proposition. It's a feature which you have in the graphical release pipeline but what they have not implemented yet in their YAML pipeline replacement. Approvals and certain gate conditions are implemented on the environment but the defer option is still missing .  Pipeline The conditional deployment option can be implemented with the help of runtime parameters and expressions . In the parameter section you define boolean parameters which will control the deploy behavior. With the expressions you can control which stage/job/task should be executed when the pipeline runs. In the below YAML sample I experimented with conditions in the azure-pipelines.yml ...
Post a Comment
Read more